MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603
SHA3-384 hash: c8f54f2efe681a9104f69cba7454e07b6f7e09a7c3b8cd4428bc7182d7e2062464e04e0140d5118e55c89334f47d8931
SHA1 hash: 6218763be2cbe2621f755b512a239c3398b8d983
MD5 hash: cc7a485c32766700f3203c172325fe53
humanhash: edward-zebra-missouri-lion
File name:cc7a485c32766700f3203c172325fe53.exe
Download: download sample
Signature TrickBot
Create hunting rule
File size:426'179 bytes
First seen:2021-02-13 20:09:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d69255e451e9c23b553083b8696640b (2 x TrickBot, 1 x BazaLoader)
ssdeep 6144:hJJXc3d7aQ2hSAjxqrMiYRTuzOys5yWYPMpemzE+c8MWnvzv6pRc:dXc3dLoSAorM5wMpe1OnvMR
Threatray 3'041 similar samples on MalwareBazaar
TLSH 9C94BF37A488F9A1D6373A310C66D578062F5C4414035E4B3494BEDDAE3AB83AEB537E
Reporter abuse_ch
Tags:exe TrickBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cc7a485c32766700f3203c172325fe53.exe
Verdict:
Malicious activity
Analysis date:
2021-02-13 20:11:52 UTC
Tags:
trojan trickbot loader evasion
Link:
https://app.any.run/tasks/52e4632d-57e9-47d4-851a-7ac016812bfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117048/
Detection(s):
Win.Trojan.Generic-9831714-0
Create hunting rule

SecuriteInfo.com.Variant.Graftor.919591.1451.21902.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/607473
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-02-13 11:43:42 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1610f95a5fa7d0ff96c212663f92fd12e64fde5fbad5fae7849b9416d2518f10
TrickBot
3a214b848b9d317e2c8dfdc7a2e55ee7893b6e4aadc335992d3425480c7eb8b6
TrickBot
43bf403865a31b4b2628650b0dfd6486fd6b45e6ae2a52fa09433c3f5b7d3163
TrickBot
449f24aec03bfd9f244e7102319fa6f9f3fccb1673b89b602faa3a52b1530c93
TrickBot
5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
TrickBot
6912d583576d9eb9caffadbe2c808c4d563dc5274a8197b8be8f253b03010da5
TrickBot
98dd45b3ce7ca621aa88bad8750770c166ca9146b0ce916be6222d78b8c8fd78
TrickBot
ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466
TrickBot
bb906b8a7a14d7441f2f28ef75834f8d2c80c1f1330c68f3ada238f824300f70
TrickBot
f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee
TrickBot
+ 3'031 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:yas28 banker trojan
Link:
https://tria.ge/reports/210213-xvgyh7zp6s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Trickbot
Malware Config
C2 Extraction:
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
Unpacked files
SH256 hash:
e5091c9b010f7b5acc73bd04653a42af5ebcee31476a9fc05e9f4774c9f000a4
MD5 hash:
c6b43c403351bd6613e3e01223d2f9db
SHA1 hash:
1e2b311107d7f211e7d0a46221c394d9665f4128
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/cfaa7aa5-f283-4165-bacc-5b2927290535/
Parent samples :
43bf403865a31b4b2628650b0dfd6486fd6b45e6ae2a52fa09433c3f5b7d3163
ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466
62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603
SH256 hash:
27d8cdd0b620b05a532db8de0c7fcbc312ecca4ea8996348428adf6e170d2a90
MD5 hash:
8f81aa1499babe8d4afa76c9d1ab3ecb
SHA1 hash:
17a79a5db27d233acbbbcfdaab14f38d7a586393
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/cfaa7aa5-f283-4165-bacc-5b2927290535/
SH256 hash:
62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603
MD5 hash:
cc7a485c32766700f3203c172325fe53
SHA1 hash:
6218763be2cbe2621f755b512a239c3398b8d983
Link:
https://www.unpac.me/results/cfaa7aa5-f283-4165-bacc-5b2927290535/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TrickBot

Executable exe 62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1003137/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117048/

Comments